Block Broadcast and Multicast, Consequences of doing so?

I am considering blocking Broadcast and Multicast traffic through my network. I'm just not sure what the ramifications are of doing so…

What services would I be blocking if I drop all broadcast and multicast packets?
(Discovery, NTP, OSPF, … ?)

You would effectively shut down your network. IPv4 requires Layer 2 multicast and broadcast for ARP to work, along with a number of other protocols.

Limiting the rate of broadcast/multicast traffic would be a better solution. You accomplish this by turning on the firewall for bridge traffic in the bridge settings and writing rules to limit broadcast/multicast appropriately.

I see. Is there any way to distinguish the traffic, ARP or otherwise? If I was using a static ARP table, would blocking multicast/broadcast prevent clients from communicating with the gateway? Would doing so also isolate clients from each other on this network?

Thanks for the response.
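The distinction the earlier reply relies on (a bridge filter keys on the destination MAC and EtherType, so ARP can be exempted while other broadcast/multicast is rate-limited instead of dropped) is shown below as an added example; it is not from this thread or RouterOS, and the frames, rate and burst values are constructed for illustration.

```python
import struct

# Added example: classify Ethernet frames the way a bridge filter would and apply
# a token-bucket limit to broadcast/multicast, always letting ARP and unicast pass.
ETHERTYPE_NAMES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}


def classify(frame):
    """Return (delivery, protocol): delivery is unicast, multicast or broadcast."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if dst == b"\xff" * 6:
        delivery = "broadcast"          # all-ones destination
    elif dst[0] & 0x01:
        delivery = "multicast"          # I/G bit set: group address
    else:
        delivery = "unicast"
    return delivery, ETHERTYPE_NAMES.get(ethertype, hex(ethertype))


class TokenBucket:
    """Simple rate limiter: `rate` tokens per second, up to `burst` stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_frames(frames, rate=2.0, burst=3):
    """frames: list of (timestamp, bytes). ARP and unicast are always accepted;
    other broadcast/multicast shares one bucket, as a limit rule would."""
    bucket = TokenBucket(rate, burst)
    decisions = []
    for ts, frame in frames:
        delivery, proto = classify(frame)
        if proto == "arp" or delivery == "unicast":
            decisions.append("accept")
        else:
            decisions.append("accept" if bucket.allow(ts) else "drop")
    return decisions


def frame(dst, ethertype):
    """Build a minimal constructed frame with a locally administered source MAC."""
    return dst + bytes.fromhex("020000000001") + struct.pack("!H", ethertype) + b"\x00" * 46
```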

Is your goal to isolate clients at Layer 2?

Yes, definitely. I’m also not sure what an acceptable level of broadcast/multicast traffic would be on a medium sized bridged network.

Wireless, Wired or Both?

It’s both. At the head end, I have a Tough Switch powering various access points, though. Can’t do port isolation without implementing VLANs first on those devices.

So while clients can’t speak with their next door neighbors (attached to the same rb2011 or cloud router switch), they could communicate with clients connected to other access points.

For wireless, check the following setting on the WLAN: default-forwarding=no

For wired, it varies depending on the switch, but Private VLANs/Port Isolation are the way to go.